BZ994604 (https://bugzilla.redhat.com/show_bug.cgi?id=994604) has been opened. - DHC
On Wed, Aug 7, 2013 at 5:35 AM, Itamar Heim <ih...@redhat.com> wrote:
> On 08/07/2013 12:10 AM, Dead Horse wrote:
>> I have found some steps to reproduce this easily.
>>
>> Start the engine bound to an AD for authentication
>> log in to the user portal as an AD user which has been granted a Role (I used PowerUserRole)
>>
>> Result: Login will succeed
>> Data from engine.log:
>> 2013-08-06 15:54:10,088 INFO [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-10) Running command: LoginUserCommand internal: false.
>> 2013-08-06 15:54:10,139 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-10) Correlation ID: 23c4709, Call Stack: null, Custom Event ID: -1, Message: User ovirttest logged in.
>>
>> log out of the user portal
>> Result: log out succeeds
>> Data from engine.log:
>> 2013-08-06 15:54:12,448 INFO [org.ovirt.engine.core.bll.LogoutUserCommand] (ajp--127.0.0.1-8702-2) Running command: LogoutUserCommand internal: false.
>> 2013-08-06 15:54:12,474 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: 52a89e7d, Call Stack: null, Custom Event ID: -1, Message: User ovirttest logged out.
>>
>> As the same user log in to the user portal again but this time purposely input the wrong password.
>> Result: log in will fail
>> Data from engine.log:
>> 2013-08-06 15:54:20,830 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-7) Kerberos error: Pre-authentication information was invalid (24)
>> 2013-08-06 15:54:20,832 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-7) Authentication Failed. Please verify the username and password.
>> 2013-08-06 15:54:20,843 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--127.0.0.1-8702-7) Failed ldap search server LDAP://foodc02.foo.test.com:389 using user ovirtt...@foo.test.com due to Authentication Failed. Please verify the username and password.. We should not try the next server
>> 2013-08-06 15:54:20,850 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-7) Kerberos error: Pre-authentication information was invalid (24)
>> 2013-08-06 15:54:20,851 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-7) Authentication Failed. Please verify the username and password.
>> 2013-08-06 15:54:20,852 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--127.0.0.1-8702-7) Failed ldap search server LDAP://foodc01.foo.test.com:389 using user ovirtt...@foo.test.com due to Authentication Failed. Please verify the username and password.. We should not try the next server
>> 2013-08-06 15:54:20,853 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-7) Failed authenticating user: ovirttest to domain gso.med.ge.com. Ldap Query Type is getUserByName
>> 2013-08-06 15:54:20,854 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-7) Authentication Failed. Please verify the username and password.
>> 2013-08-06 15:54:20,855 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7) USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD : ovirttest
>> 2013-08-06 15:54:20,856 WARN [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
>>
>> Try again to log in as the same user this time typing the correct password.
>> Result: Login fails!
>> Data from engine.log:
>> 2013-08-06 15:54:25,186 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-7) Failed authenticating user: ovirttest to domain gso.med.ge.com. Ldap Query Type is getUserByName
>> 2013-08-06 15:54:25,187 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7) USER_FAILED_TO_AUTHENTICATE : ovirttest
>> 2013-08-06 15:54:25,187 WARN [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE
>>
>> Try again with another AD user.
>> Result: Login fails!
>> Data from engine.log:
>> 2013-08-06 15:54:38,056 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (ajp--127.0.0.1-8702-5) Failed authenticating user: ovirtadmin to domain gso.med.ge.com. Ldap Query Type is getUserByName
>> 2013-08-06 15:54:38,057 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-5) USER_FAILED_TO_AUTHENTICATE : ovirtadmin
>> 2013-08-06 15:54:38,058 WARN [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-5) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE
>>
>> Logging into the admin portal as the admin@internal user will yield that engine seems to have forgotten about and can no longer enumerate AD users and groups.
>> engine stays in this state until it has been restarted.
>>
>> I also note the two following errors in the engine log file as well:
>> 2013-08-06 15:53:41,098 ERROR [org.ovirt.engine.core.dal.dbbroker.generic.DBConfigUtils] (MSC service thread 1-9) Could not parse option AutoRecoveryAllowedTypes value.
>> 2013-08-06 15:53:41,161 ERROR [org.ovirt.engine.core.dal.dbbroker.generic.DBConfigUtils] (MSC service thread 1-9) Failed to decrypt value for property AttestationTruststorePass will be used encrypted value: javax.crypto.BadPaddingException: Data must start with zero
>>
>> - DHC
>>
>> On Tue, Aug 6, 2013 at 1:31 PM, Dead Horse <deadhorseconsult...@gmail.com> wrote:
>>
>> Really attaching logs from other install.
>> - DHC
>>
>> On Tue, Aug 6, 2013 at 1:30 PM, Dead Horse <deadhorseconsult...@gmail.com> wrote:
>>
>> Also I note that the login does succeed in the AD servers logs as well as the engine also acknowledges the same. However the login ends up in either the user logging in and the dialog sitting in space forever and/or the engine no longer enumerating the AD users/groups.
>>
>> Attached are logs from another install seeing the same thing.
>> -DHC
>>
>> On Tue, Aug 6, 2013 at 1:20 PM, Dead Horse <deadhorseconsult...@gmail.com> wrote:
>>
>> Seeing an issue where users are not able to log in. Also for some reason the engine is seemingly forgetting about AD users. Removing the AD domain via engine-manage-domains and re-adding it works for enumerating the users, however the first attempt to login as a user results in the engine no longer enumerating the users nor allowing logins.
>> Attached are the pertinent logs.
>>
>> Engine is built and running from current master as of this morning, and was installed/built and upgraded via RPMs yum/engine-upgrade
>>
>> - DHC
>>
>> _______________________________________________
>> Engine-devel mailing list
>> Engine-devel@ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/engine-devel
>>
>
> thanks for reproducing with such clear steps. can you please open a bug?
> yair - can you try and reproduce as well (I tried on an older rhev 3.2 i have and couldn't with the IPA provider)
>
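The quoted reproduction leaves a recognisable trace in engine.log: one explicit USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD, after which every login (any user) fails with the bare USER_FAILED_TO_AUTHENTICATE reason and no Kerberos error is logged first, i.e. the directory is no longer being consulted. The following is an added example, not code from this thread or from oVirt, that parses a constructed log excerpt modelled on the quoted lines and flags that pattern so an operator can spot the stuck state before the restart; the 2-second window and the two-user threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the engine.log lines quoted in the thread (not verbatim).
SAMPLE_LOG = """\
2013-08-06 15:54:20,830 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-7) Kerberos error: Pre-authentication information was invalid (24)
2013-08-06 15:54:20,855 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7) USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD : ovirttest
2013-08-06 15:54:25,187 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7) USER_FAILED_TO_AUTHENTICATE : ovirttest
2013-08-06 15:54:38,057 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-5) USER_FAILED_TO_AUTHENTICATE : ovirtadmin
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?P<level>\w+)\s+"
    r"\[(?P<cls>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$")
FAIL_RE = re.compile(r"USER_FAILED_TO_AUTHENTICATE(?P<reason>_\w+)? : (?P<user>\S+)")


def parse(text):
    """Yield (timestamp, logger class, thread, message) for each well-formed engine.log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"), m["cls"], m["thread"], m["msg"]


def detect_wedged_directory(text, window=timedelta(seconds=2)):
    """Flag the pattern from the bug report: an explicit wrong-password rejection followed by
    bare USER_FAILED_TO_AUTHENTICATE results with no Kerberos error just before on the same thread."""
    last_kerberos = {}      # thread -> time of its most recent 'Kerberos error:' line
    trigger_user = None     # user whose wrong password preceded the stuck state
    silent = []             # (user, time) login failures with no directory round-trip
    for ts, cls, thread, msg in parse(text):
        if cls.endswith("GSSAPIDirContextAuthenticationStrategy") and msg.startswith("Kerberos error:"):
            last_kerberos[thread] = ts
        elif cls.endswith("LoginUserCommand"):
            f = FAIL_RE.search(msg)
            if f and f["reason"] == "_WRONG_USERNAME_OR_PASSWORD" and trigger_user is None:
                trigger_user = f["user"]
            elif f and f["reason"] is None:
                seen = last_kerberos.get(thread)
                if seen is None or ts - seen > window:   # assumed window, not from the thread
                    silent.append((f["user"], ts))
    users = sorted({u for u, _ in silent})
    return {"trigger_user": trigger_user, "silent_failures": users,
            # assumed threshold: two distinct users failing silently after an explicit reject
            "wedged": trigger_user is not None and len(users) >= 2}


if __name__ == "__main__":
    print(detect_wedged_directory(SAMPLE_LOG))
```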
_______________________________________________
Engine-devel mailing list
Engine-devel@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-devel